Latest payment card security standard takes new approach

The latest version of the Payment Card Industry’s Data Security Standard (PCI DSS) is aimed at making security part of “business as usual”

The latest version of the Payment Card Industry’s Data Security Standard (PCI DSS), to be published on 7 November, will advise companies to make security part of “business as usual”.

“Organisations should aim to make PCI DSS as part of business as usual because the standard provides the best set of requirements and processes for protecting data,” according to Jeremy King, European director of the PCI Security Standards Council (PCI SCC).

To that end, version three focuses on security training – particularly passwords, helping people understand that security is a shared responsibility and giving merchants more flexibility in how they adopt the standard.

Other changes are aimed at ensuring card data security practices are updated to cope with new technologies and trends, such as bring your own device (BYOD) programmes in the workplace.

For the first time, the standard also incorporates the previously separate guidance document into the requirements as an extra column to explain in more detail what is meant and required.

PCI DSS compliance is necessary for any organisation that handles customer payment card data and specifies how that information must be held and protected.

The PCI SSC that administers the security standard claims version three is designed to help organisations take a proactive approach to protect cardholder data, and that it focuses on security, not compliance. 

“It is extremely encouraging that the latest revision of PCI DSS is moving away from focusing solely on compliance, and moving towards best practice security,” said Matt Middleton-Leal, regional director for UK & Ireland at security firm CyberArk.

“As we continue to see privileged account credentials and passwords as primary targets in almost all major breaches, it is great that this latest version of the standard is taking steps towards addressing this crucial part of the problem,” he said.

The revised standard advises that password policies should include guidance on choosing strong passwords, protecting their credentials, changing passwords on suspicion of compromise.

“While this is certainly a step in the right direction, I would argue that we need to go further, to adequately protect these extremely powerful credentials,” said Middleton-Leal.

Rather than waiting for suspicious activity before taking action, organisations should arm themselves with the best possible defence by establishing a centrally managed privileged account security policy, he said.

Middleton-Leal said this approach enables organisations to determine how regularly passwords need to be changed and enable users to set, manage and monitor password security from a single interface.

“By simplifying the password management process and giving control back to the security, risk and audit teams, companies can be sure that they are not only compliant with PCI DSS V3.0, but also that they are doing everything they can to proactively protect their customers’ payment card data,” he said.

PCI DSS V3.0 goes into effect on 1 January 2014, but merchants who have not completed compliance with version two will have until the end of 2014 to begin working on compliance with version three.

Read more about PCI DSS

  • PCI DSS review: Assessing the PCI standard nine years later
  • Podcast: What’s new in PCI-DSS and PA-DSS version 3.0?
  • Using encryption technology to achieve PCI DSS compliance objectives
  • Understanding the PCI DSS prioritized approach to compliance
  • Can predefined DLP rules help prevent HIPAA and PCI DSS violations?
  • PCI DSS 3.0 preview highlights passwords, providers, payment data flow
  • PCI validation: Requirements for merchants covered by PCI DSS
  • Analysis: Inside the new PCI DSS risk assessment

Read more on Privacy and data protection